FTC: Cellphone apps could be violating privacy rights of children

By RICHARD LARDNERAssociated Press

Published: Monday, December 10, 2012 at 6:01 a.m.

Last Modified: Monday, December 10, 2012 at 11:27 p.m.

WASHINGTON — The government is investigating whether software companies that make cellphone apps violated the privacy rights of children by quietly collecting personal information from mobile devices and sharing it with advertisers and data brokers, the Federal Trade Commission said Monday. Such apps can capture a child’s physical location, phone numbers of their friends and more.

The FTC described the marketplace for mobile applications — dominated by online stores operated by Apple and Google — as a digital danger zone with inadequate oversight. In a report by the FTC’s own experts, it said the industry has grown rapidly but failed to ensure the privacy of young consumers is adequately protected. The FTC did not say which or how many companies it was investigating.

Among 400 apps designed for kids examined by the FTC, most failed to inform parents about the types of data the app could gather and who could access it, the report said. Other apps contained advertising that most parents would find objectionable or included links to Facebook, Twitter and other social media services where kids post information about themselves.

The report said mobile apps can siphon data to “invisible and unknown” third parties that could be used to develop a detailed profile of a child without a parent’s knowledge or consent.

“It’s not hypothetical that this information was shared,” said Jessica Rich, associate director of the FTC’s financial practices division.

The FTC also said it was investigating whether any of the apps developers engaged in unfair or deceptive trade practices, which would be illegal.

A trade group representing apps developers said the industry’s growth has been fueled largely by small businesses, first-time developers and even high school students who do not have legal departments or privacy experts on staff. The FTC’s report is a reminder of the importance of educating developers on best practices for privacy, the Washington-based Association for Competitive Technology said in a statement.

In one case mentioned in the FTC report, an app that allows children to paint pictures and save them in an online photo gallery didn’t indicate that it included advertising. But investigators said the app ran an ad across the bottom of the screen for an online dating service that said, “See 1000+ Singles.”

The FTC would not identify any companies it was investigating until a complaint is filed, Rich said. She said the agency expects the report will “light a fire” under the industry.

“We’re not naming names, in part because we think this is a systematic problem, and we don’t want people to think that if they avoid certain apps that they’re home free,” Rich said.

The commission is considering major changes to a 1998 law, the Children’s Online Privacy Protection Act, that would impose tougher online safeguards for children under 13. Technology companies have warned that the proposed changes are too aggressive and could discourage them from producing kid-friendly content on the Internet. But public interest groups have pushed hard for the changes, saying expanded use of mobile devices and methods for collecting personal data have outpaced rules put in place more than a decade ago.

The commissioners are expected to vote on the revisions to the law within weeks. Among the proposed changes is a requirement to prohibit the use of behavioral marketing techniques to track and target children unless a parent approves. The changes also would cover a category of location information and data known as “persistent identifiers” which allow a person to be tracked over time and across various websites and online services.

An apps game called Mobbles violated the law by collecting personal information from children under 13 without providing any notice to parents or attempting to obtain prior and verifiable consent, a public interest group alleged in a complaint it said it would file with the FTC on Tuesday. Mobbles is a location-based game for cellphones that allows kids to collect, care for and trade virtual pets like Krinker, a purple creature with a yellow flame on its head, according to the complaint from the Center for Digital Democracy in Washington.

Mobbles offers rewards that improve game performance to players who supply their email addresses, ask their friends by email to join Mobbles or use the app to buy “MobbDollars” with real money, the complaint said. The game’s “Catch a Mobble” feature gathers the physical addresses of children, according to the complaint.

The Mobbles Corp., which owns and operates the app, took the program offline from the app stores on Monday after reporters contacted the company about the complaint. Alexandre Curtelin, the chief executive officer of Mobbles, said in an email that the company is committed to ensuring the safety and protection of user privacy.

The new FTC report builds on an earlier survey of the mobile apps industry by the commission’s staff that urged apps stores and developers — along with the advertisers and brokers they work with — to be more open about how their programs work. The commission credited Apple and Google for new policies that encourage developers to publish their privacy policies clearly and in places that are easily accessible. But the FTC said there was too little progress, forcing it to take more aggressive steps.

As of September, Apple and Google combined offered more than 1.4 million apps for downloading, up from 880,000 in March, the FTC said.

Google said in a statement that it is reviewing the FTC’s report. Google informs consumers about what data an app can access and requires user approval before installation, the company said.

The staff randomly selected 200 apps each from the Google and Apple stores using the keyword “kids.” After testing the apps, they determined that 60 percent of them transmitted the user’s device identification to the software company or, more frequently, to advertising networks and data brokers that compile, analyze and sell consumer information for marketing campaigns.

The device ID is a string of letters or numbers that uniquely identifies each mobile device and can represent a pathway to more personal information, like a person’s name, phone number and email address. More than a dozen of the apps that transmitted device IDs also sent the user’s exact geographic location and phone number, the FTC said.

Only about 20 percent of the apps disclosed any information about the program’s privacy practices, and the FTC said many disclosures were inadequate.

“Many consisted of a link to a long, dense and technical privacy policy that was filled with irrelevant information and would be difficult for most parents to read and understand,” the report said.

More than 20 percent of the apps examined included links to social media services but few informed consumers about them before the program was downloaded. The FTC said the result was that children could post comments, photos or videos that could harm their reputations or offend other people.

Reader comments posted to this article may be published in our print edition. All rights reserved. This copyrighted material may not be re-published without permission. Links are encouraged.